Systems that monitor network traffic for an organization typically compare units of network traffic, such as individual data packets or groups of data packets (flows), against a set of rules to determine whether that traffic is suspicious or potentially malicious. If the traffic satisfies or matches one or more rules, the system generates a security alert. Typically, the security alert is then provided to a security monitor for the organization.
Because distinguishing malicious from benign network traffic can be difficult, the rules are often designed to be broadly inclusive so that suspicious traffic is not missed. As a result, many of the security alerts provided to a security monitor are false positives, and organizations often expend significant resources and effort manually triaging those alerts to identify the true positives.
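The trade-off described above can be made concrete with a small rule matcher. The following is an added example and is not code from the original page or from any product it describes: the flow records, their ground-truth labels, the addresses (taken from the documentation ranges) and both rules are constructed for illustration. A broadly written rule (any destination port outside a short list of common ports) fires on every malicious flow but also on benign traffic to alternate ports; a narrower rule that additionally requires an unrecognized protocol eliminates the false positives but misses the malicious flow that is wrapped in TLS. Scoring each rule against the labels shows the precision and recall behind the false-positive burden on a security monitor.

```python
"""Toy rule-based traffic monitor.

Added example, not code from the original page: constructed flow records and
two hypothetical rules show how a broadly written rule raises alert volume and
the false-positive share a security monitor must triage, and why narrowing the
rule costs recall.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Flow:
    """One unit of traffic (a flow, i.e. a group of packets) with its first payload bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes
    malicious: bool  # constructed ground-truth label, used only for scoring


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    match: Callable[[Flow], bool]


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    flow: Flow


# Constructed sample traffic (documentation-range addresses, not captured data).
FLOWS: List[Flow] = [
    Flow("10.0.0.5",  "203.0.113.10",  443,  b"\x16\x03\x01\x00\xa5", False),     # TLS to a web server
    Flow("10.0.0.7",  "198.51.100.22", 4444, b"\x00\x00\x00\x18\xde\xad", True),  # cleartext to an odd port
    Flow("10.0.0.9",  "192.0.2.30",    8443, b"\x16\x03\x01\x00\x9c", False),     # TLS on an alternate port
    Flow("10.0.0.5",  "192.0.2.40",    2222, b"SSH-2.0-OpenSSH_9.6\r\n", False),  # SSH on an alternate port
    Flow("10.0.0.11", "198.51.100.22", 4444, b"\x00\x00\x00\x1a\xbe\xef", True),
    Flow("10.0.0.12", "203.0.113.50",  80,   b"GET / HTTP/1.1\r\n", False),
    Flow("10.0.0.13", "192.0.2.60",    9000, b"\x16\x03\x03\x00\xb1", False),     # TLS to an internal service
    Flow("10.0.0.14", "198.51.100.22", 4444, b"\x16\x03\x01\x00\x80", True),      # malicious, but wrapped in TLS
]

COMMON_PORTS = {22, 25, 53, 80, 443}


def looks_like_known_protocol(payload: bytes) -> bool:
    """Cheap protocol fingerprint: a TLS record header or an SSH banner."""
    return payload[:1] == b"\x16" or payload.startswith(b"SSH-")


# Hypothetical rules. The broad one fires on any uncommon destination port; the
# narrow one additionally requires that the payload not match a known protocol.
RULES: List[Rule] = [
    Rule(1000001, "outbound to uncommon port",
         lambda f: f.dport not in COMMON_PORTS),
    Rule(1000002, "unrecognized protocol on uncommon port",
         lambda f: f.dport not in COMMON_PORTS and not looks_like_known_protocol(f.payload)),
]


def run_rules(rules: List[Rule], flows: List[Flow]) -> List[Alert]:
    """Generate one alert per (rule, flow) pair whose predicate matches."""
    return [Alert(r.sid, r.msg, f) for f in flows for r in rules if r.match(f)]


def score(sid: int, alerts: List[Alert], flows: List[Flow]) -> Dict[str, float]:
    """Alert count, true/false positives, misses, precision and recall for one rule."""
    hits = [a.flow for a in alerts if a.sid == sid]
    tp = sum(1 for f in hits if f.malicious)
    fp = len(hits) - tp
    fn = sum(1 for f in flows if f.malicious) - tp
    return {
        "alerts": len(hits),
        "tp": tp,
        "fp": fp,
        "fn": fn,
        "precision": tp / len(hits) if hits else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
    }


if __name__ == "__main__":
    alerts = run_rules(RULES, FLOWS)
    for rule in RULES:
        print(rule.sid, rule.msg, score(rule.sid, alerts, FLOWS))
```

On the constructed traffic the broad rule produces six alerts for three malicious flows (precision 0.5, recall 1.0), so half of what reaches the monitor is false positive; the narrow rule produces two alerts with no false positives but misses the TLS-wrapped malicious flow (recall 2/3). Real rule sets face the same choice at much larger volume, which is what drives the manual triage cost the passage describes.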